Breached-password-check/README.md

2023-01-12 11:59:58 +01:00
# Password check using k-Anonymity
PHP function for checking passwords against the pwnedpasswords.com database.

You can add this function inside your functions file.

k-Anonymity means that the password itself is NOT sent over the internet: the function hashes it and sends only the first part of the hash to request a list of all compromised password hashes that begin with that part.

You will not send your password over the internet!

For example, if your password is 'Welcome01', it will be hashed to:

a1a2094820f0313d61da4f44032013eaf6c2b7d3

Only 'a1a20' will be sent to the pwnedpasswords.com API, which returns a list of ALL compromised passwords whose hash starts with 'a1a20'.

You then download that list and check whether the full hashed password is found in it.

If it is found, your password is compromised and you can build your site so that this password cannot be used, or just warn the user.
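The check described above, as an added example that is not the repository's own function: it splits the SHA-1 hash into the 5-character prefix that goes to the API and the suffix that stays local, parses the range response ("SUFFIX:COUNT" per line) offline on a constructed body, and only the last function talks to the real `https://api.pwnedpasswords.com/range/` endpoint. The `Add-Padding` header and the sample suffixes in the constructed body are assumptions of this example.

```php
<?php
// Added example, not the repository's own code: k-anonymity range check
// against pwnedpasswords.com, with parsing separated so it runs offline.

// Returns [prefix, suffix]: the 5 hex chars sent to the API and the 35 chars
// that never leave the machine. Uppercase to match the API's response format.
function pwnedHashParts(string $password): array
{
    $hash = strtoupper(sha1($password));
    return [substr($hash, 0, 5), substr($hash, 5)];
}

// Parse a range response ("SUFFIX:COUNT" per line) and return how many times
// the given suffix was seen in breaches, or 0 when it is absent.
// Padding lines (count 0) therefore read as "not found", which is correct.
function breachCountFromRange(string $rangeBody, string $suffix): int
{
    foreach (preg_split('/\r?\n/', trim($rangeBody)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) === 2 && strcasecmp($parts[0], $suffix) === 0) {
            return (int) $parts[1];
        }
    }
    return 0;
}

// Live check: only the prefix is transmitted. Returns the breach count, or
// null when the API could not be reached (failing open or closed is the
// caller's policy decision, so it is not hidden inside this function).
function passwordBreachCount(string $password): ?int
{
    [$prefix, $suffix] = pwnedHashParts($password);
    $ctx = stream_context_create(['http' => [
        'method'  => 'GET',
        // Add-Padding asks the API to pad the response with count-0 entries
        // so response size does not leak which prefix range was requested.
        'header'  => "Add-Padding: true\r\nUser-Agent: breached-password-check\r\n",
        'timeout' => 5,
    ]]);
    $body = @file_get_contents('https://api.pwnedpasswords.com/range/' . $prefix, false, $ctx);
    return $body === false ? null : breachCountFromRange($body, $suffix);
}

// Offline demonstration on a constructed response body (sample suffixes and
// counts are made up) for the README's example password.
[$prefix, $suffix] = pwnedHashParts('Welcome01');
$sampleBody = "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
            . "{$suffix}:12345\r\n"
            . "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0\r\n";
echo 'prefix sent: ' . $prefix . ', breach count: '
    . breachCountFromRange($sampleBody, $suffix) . PHP_EOL;
```

Compare the suffix case-insensitively as shown, since the API returns uppercase hex and a lowercase `sha1()` result would otherwise never match.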